⚡ Key Takeaways

The internet's core routing and naming protocols — BGP and DNS — were built on trust, not security, and are actively exploited: the 2008 Pakistan Telecom incident took YouTube offline globally, while the Sea Turtle campaign compromised DNS registrars across 13 countries to redirect government traffic. RPKI adoption has reached 54% of announced IPv4 routes globally, up from 14% in 2019, but the long tail of smaller ISPs remains unprotected.

Bottom Line: Network operators must deploy RPKI for BGP route validation and DNSSEC for DNS integrity — these two measures provide outsized protection against backbone-level attacks that can redirect entire nations' internet traffic.


🧭 Decision Radar (Algeria Lens)

Relevance for Algeria: High
Algeria’s internet traffic routes through limited infrastructure; BGP and DNS attacks could redirect or intercept national traffic at scale.
Infrastructure Ready? Partial
Global defenses (RPKI, DNSSEC) exist but require adoption by Algerian network operators (primarily Algerie Telecom) and the .dz registry (CERIST).
Skills Available? No
BGP and DNS security requires specialized network engineering expertise that is rare in Algeria; international assistance is available through RIPE NCC and AFRINIC.
Action Timeline: 12-24 months
RPKI deployment by Algerian ISPs and DNSSEC signing of the .dz zone are achievable within this timeframe.
Key Stakeholders: Algerie Telecom, CERIST (.dz registry), ARPCE, RIPE NCC, AFRINIC, Internet Society
Decision Type: Strategic
Requires strategic organizational decisions that will shape Algeria’s long-term position on securing the internet’s backbone.

Quick Take: The internet’s routing and naming systems were built on trust that no longer exists. BGP hijacking and DNS attacks can redirect entire nations’ traffic. RPKI adoption by Algerian ISPs and DNSSEC signing of the .dz zone are the two most impactful steps Algeria can take to protect its internet infrastructure from these backbone-level threats.

The Trust Problem at the Internet’s Core

The internet’s two most fundamental protocols — BGP (Border Gateway Protocol) and DNS (Domain Name System) — were designed in an era when the network was a small, trusted community of researchers. BGP, which determines how traffic is routed between the more than 80,000 autonomous systems (AS) that comprise the internet, operates on a handshake-and-trust model: when an AS announces that it can route traffic to a particular IP address block, neighboring networks accept that announcement at face value. DNS, which translates domain names to IP addresses for every website visit, email delivery, and API call on the internet, was similarly designed without authentication — a DNS response is trusted simply because it arrives.

This foundational trust has made BGP and DNS the most consequential attack surfaces on the internet. A successful BGP hijack can redirect entire blocks of internet traffic through an attacker’s network, enabling mass surveillance, credential theft, or traffic manipulation at scale. A DNS attack can redirect users to fraudulent versions of any website — banks, email providers, government services — capturing credentials and sensitive data from victims who see the correct URL in their browser. These are not theoretical risks: they are demonstrated, documented, and ongoing.

The stakes are existential. Unlike application-level attacks that compromise individual systems, infrastructure-level attacks compromise the routing and naming fabric that every internet service depends on. A BGP hijack affecting a major cloud provider’s IP space can disrupt millions of services simultaneously. A DNS compromise at the registrar or registry level can redirect an entire country’s web traffic. These attacks are the digital equivalent of rerouting highways and changing street signs — they affect everyone who uses the road.

BGP Hijacking: Rerouting the Internet

The most infamous BGP incident occurred on 24 February 2008 when Pakistan Telecom (AS17557), attempting to block YouTube domestically, accidentally announced BGP routes for YouTube’s IP prefix 208.65.153.0/24 to the global internet. Pakistan Telecom’s upstream provider PCCW Global (AS3491) forwarded the announcement worldwide, and within minutes YouTube traffic was routed to Pakistan Telecom’s network and dropped into a black hole. The outage lasted over two hours before YouTube recovered by announcing more specific /25 prefixes, exploiting BGP’s longest-prefix-match rule. This was accidental — deliberate BGP hijacks are far more sophisticated and harder to detect.

State-sponsored BGP manipulation has been documented extensively. Chris Demchak of the US Naval War College and network researcher Yuval Shavitt documented patterns of China Telecom using its ten points of presence in North America to reroute US and Canadian internet traffic through Chinese network infrastructure, findings subsequently confirmed by Oracle’s Internet Intelligence division. In 2019, a separate incident saw over 70,000 BGP routes leaked through China Telecom’s Frankfurt node, rerouting European mobile traffic through China for two hours. Whether these incidents represent deliberate interception or misconfiguration remains debated, but the pattern has drawn sustained scrutiny from Western intelligence agencies. In April 2018, a BGP hijack originating from eNET (AS10297) redirected traffic destined for Amazon’s Route 53 DNS service, enabling attackers to steal approximately $150,000 in Ethereum from MyEtherWallet users by serving a fraudulent DNS response through the hijacked path. Russian BGP manipulation has also been documented, including a December 2017 incident in which traffic to Google, Facebook, Apple, and Microsoft was briefly rerouted through an obscure Russian autonomous system.

The defense against BGP hijacking is RPKI (Resource Public Key Infrastructure), a cryptographic framework that allows network operators to verify the legitimacy of BGP route announcements. With RPKI, an AS can create a ROA (Route Origin Authorization) cryptographically certifying which AS numbers are authorized to announce its IP address space. Networks that validate RPKI can then reject unauthorized announcements. As of late 2025, RPKI adoption has reached approximately 54% of announced IPv4 routes globally, up from roughly 14% in 2019 — a threefold increase in six years. ROA coverage grew 23% in 2025 alone, and three-quarters of all IP traffic is now bound for RPKI-secured destinations. Major networks including Cloudflare, Google, AT&T, and NTT validate RPKI, but the long tail of smaller ISPs and regional networks remains unprotected.
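The two mechanisms described above, BGP's longest-prefix-match selection that let a /24 announcement capture YouTube's traffic, and RPKI route origin validation (RFC 6811) that lets a validating router discard such an announcement, worked through in Python as an added example (not code from this article). The covering /22 and the ROA are assumptions for illustration, and AS64496 is a documentation ASN standing in for YouTube's AS.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: who may originate this prefix, and how specific."""
    prefix: IPv4Network
    max_length: int
    origin_asn: int

def rov_state(prefix: str, origin_asn: int, roas: List[ROA]) -> str:
    """Route Origin Validation per RFC 6811: 'Valid', 'Invalid' or 'NotFound'."""
    net = ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(r.prefix)]  # equal prefix also counts
    if not covering:
        return "NotFound"          # no ROA covers this space: RPKI says nothing
    for r in covering:
        if r.origin_asn == origin_asn and net.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"               # covered, but wrong origin or too specific

def best_route(dest_ip: str, rib: List[Tuple[str, int]],
               roas: Optional[List[ROA]] = None) -> Optional[Tuple[str, int]]:
    """Longest-prefix match over (prefix, origin_asn) announcements.
    When roas is given, RPKI-Invalid announcements are dropped before selection."""
    addr = ip_address(dest_ip)
    candidates = []
    for prefix, asn in rib:
        net = ip_network(prefix)
        if addr not in net:
            continue
        if roas is not None and rov_state(prefix, asn, roas) == "Invalid":
            continue
        candidates.append((net.prefixlen, prefix, asn))
    if not candidates:
        return None
    _, prefix, asn = max(candidates)   # most specific prefix wins
    return prefix, asn

# Constructed scenario: AS64496 (documentation ASN) stands in for YouTube's AS;
# AS17557 and 208.65.153.0/24 are from the incident. The covering /22 and the
# ROA with max_length 22 are assumptions for illustration.
YOUTUBE_AS, PK_TELECOM_AS = 64496, 17557
ROAS = [ROA(ip_network("208.65.152.0/22"), 22, YOUTUBE_AS)]
RIB_DURING_HIJACK = [("208.65.152.0/22", YOUTUBE_AS), ("208.65.153.0/24", PK_TELECOM_AS)]

if __name__ == "__main__":
    print("no ROV  :", best_route("208.65.153.10", RIB_DURING_HIJACK))        # hijack wins
    print("with ROV:", best_route("208.65.153.10", RIB_DURING_HIJACK, ROAS))  # hijack dropped
    print("/25 recovery route under this ROA:", rov_state("208.65.153.0/25", YOUTUBE_AS, ROAS))
```

Note the caveat the last line exposes: under a ROA with max_length 22, the /25 announcements YouTube used to recover would themselves be Invalid, so the max_length in a ROA has to be chosen deliberately.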

DNS Attacks: From Cache Poisoning to Registry Compromise

DNS attacks range from opportunistic cache poisoning to sophisticated state-sponsored campaigns targeting the DNS infrastructure itself. The Kaminsky Attack (2008) demonstrated that DNS cache poisoning — injecting fraudulent records into DNS resolver caches — was far easier than previously believed, prompting emergency industry-wide patches. DNSSEC (Domain Name System Security Extensions) was developed as the long-term solution: it cryptographically signs DNS records so that validating resolvers can detect forged or tampered responses. Yet DNSSEC deployment remains incomplete: while most top-level domains are signed, end-to-end validation requires an unbroken chain of signatures at every level of the DNS hierarchy, from the root through the TLD to the domain itself, and many domains remain unsigned.

The Sea Turtle campaign, documented by Cisco Talos in April 2019, represented a new class of DNS threat. Rather than attacking DNS resolvers or caches, Sea Turtle compromised DNS registrars and registry operators — including Netnod, one of Sweden’s root DNS providers, and the registrar managing Armenia’s .am top-level domain — modifying the authoritative DNS records for targeted government, intelligence, and energy organizations. This allowed attackers to redirect victims to attacker-controlled servers that presented valid TLS certificates (obtained through the DNS compromise itself, since certificate authorities verify domain control through DNS), making the redirection virtually undetectable to users. Talos assessed with high confidence that this was a state-sponsored operation; it compromised at least 40 organizations across 13 countries between January 2017 and early 2019.

DNSpionage, a related campaign first documented by Cisco Talos in November 2018, similarly targeted DNS infrastructure in the Middle East, initially compromising .gov domains in Lebanon and the UAE as well as a private Lebanese airline. FireEye’s Mandiant team subsequently identified a broader wave affecting dozens of domains belonging to government, telecommunications, and internet infrastructure entities across the Middle East, North Africa, Europe, and North America. The attackers used compromised DNS to redirect webmail and VPN portals, harvesting credentials from government employees who believed they were logging into legitimate systems. These campaigns demonstrated that attacking DNS infrastructure — registrars, registries, and authoritative servers — provides leverage that individual system compromises cannot match. A single DNS registrar compromise can redirect thousands of domains simultaneously.

Defenses and the Adoption Gap

The technical defenses against infrastructure-level attacks exist but face a persistent adoption gap. RPKI for BGP security, DNSSEC for DNS integrity, Certificate Transparency for TLS certificate verification, and MANRS (Mutually Agreed Norms for Routing Security) for network operator best practices collectively provide a robust defense framework. The problem is that internet security is a collective action challenge — each network’s security depends on every other network’s adoption of these protections.

Certificate Transparency (CT), introduced by Google in 2013 and now mandatory for all publicly trusted TLS certificates, has been one of the most successful infrastructure security initiatives. CT requires Certificate Authorities to log all issued certificates in publicly auditable logs, enabling domain owners to detect fraudulently issued certificates for their domains. The Sea Turtle attackers’ ability to obtain legitimate certificates through DNS compromise would be detectable through CT monitoring — but only if the targeted organization is actively monitoring CT logs for unauthorized certificate issuance.
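An added example (not code from the article) of the CT monitoring the paragraph calls for: a minimal check over constructed log entries whose field names loosely mirror crt.sh's JSON output (that mapping is an assumption, not an API contract). It shows why an issuer allowlist alone misses a certificate that an attacker with DNS control obtains from a legitimate CA, and why the owner must also reconcile against its own issuance records. The zone and serials are constructed.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed sample entries (not real certificates). Field names loosely mirror
# crt.sh's JSON output; that mapping is an assumption, not an API contract.
SAMPLE_CT_JSON = """[
 {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "www.example-ministry.dz", "serial_number": "01"},
 {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "mail.example-ministry.dz\\nwebmail.example-ministry.dz", "serial_number": "02"},
 {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA R1",
  "name_value": "vpn.example-ministry.dz", "serial_number": "03"},
 {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "*.example-ministry.dz", "serial_number": "04"},
 {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "example-ministry.dz.lookalike.test", "serial_number": "05"}
]"""
ENTRIES: List[Dict] = json.loads(SAMPLE_CT_JSON)
MONITORED_ZONE = "example-ministry.dz"          # constructed zone
EXPECTED_ISSUERS = ["O=Let's Encrypt"]          # CAs the owner actually uses
KNOWN_SERIALS: Set[str] = {"01", "02"}          # serials the owner itself requested

def in_scope(name: str, zone: str) -> bool:
    """True for the zone apex, any subdomain, or a wildcard under the zone."""
    name = name.lower().lstrip("*.")
    return name == zone or name.endswith("." + zone)

def find_unexpected(entries: List[Dict], zone: str, expected_issuers: List[str],
                    known_serials: Set[str]) -> List[Tuple[int, List[str], List[str]]]:
    """Flag certificates naming the zone that the owner cannot account for."""
    findings = []
    for e in entries:
        names = [n.strip() for n in e["name_value"].split("\n") if n.strip()]
        if not any(in_scope(n, zone) for n in names):
            continue
        reasons = []
        if not any(iss in e["issuer_name"] for iss in expected_issuers):
            reasons.append("issuer not on allowlist")
        if e["serial_number"] not in known_serials:
            # Catches a cert from a trusted CA that the owner never requested,
            # which is what DNS-based domain validation hands an attacker.
            reasons.append("serial not in owner's issuance records")
        if reasons:
            findings.append((e["id"], names, reasons))
    return findings

if __name__ == "__main__":
    for cert_id, names, reasons in find_unexpected(ENTRIES, MONITORED_ZONE, EXPECTED_ISSUERS, KNOWN_SERIALS):
        print(f"ALERT cert {cert_id}: {names} -> {', '.join(reasons)}")
```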

The MANRS initiative, originally created by the Internet Society in 2014 and now operated by the Global Cyber Alliance since 2024, promotes four concrete actions for network operators: filtering (preventing propagation of incorrect routing information), anti-spoofing (preventing traffic with spoofed source IP addresses), coordination (maintaining up-to-date contact information for incident response), and global validation (publishing routing data for external validation). Over 1,000 network operators have committed to MANRS as of late 2025, with total participation across all programs reaching approximately 1,300 — but this represents a fraction of the 80,000+ autonomous systems on the internet. For nations like Algeria, where internet infrastructure passes through a small number of operators (primarily Algerie Telecom), national-level adoption of RPKI, DNSSEC, and MANRS standards by the primary ISPs would provide outsized protective benefit for the entire domestic internet ecosystem.

